DPDPA 2023 establishes a principles based framework. Key obligations for Data Fiduciaries include lawful processing with valid consent or legitimate use grounds, purpose limitation, data minimisation, accuracy, storage limitation, and security safeguards.
Data Principal rights include right to access information about processing, right to correction and erasure of personal data, right to grievance redressal, and right to nominate a representative. Data Fiduciaries must establish mechanisms to fulfil these rights within prescribed timelines.
Significant Data Fiduciaries (SDF) face additional obligations including Data Protection Officer appointment, periodic data audits, Data Protection Impact Assessments, and compliance with any additional conditions prescribed by the government. SDF classification will be based on volume and sensitivity of data processed, risk to data principal rights, and potential impact on national security.
The IT Act 2000 and SPDI Rules 2011 continue to apply alongside DPDPA for matters not covered by the new Act. Sectoral regulators (RBI, SEBI, IRDAI, TRAI) maintain their own data protection requirements that businesses must comply with in addition to DPDPA.
The Digital Personal Data Protection Rules, 2025, notified by MeitY in the Gazette on 13 November 2025, prescribe the detailed procedural architecture, consent management standards, breach notification timelines, cross border transfer mechanisms, Significant Data Fiduciary thresholds and DPIA cadence (Rules 12 and 13), Consent Manager registration, and Data Protection Board procedures. Substantive consent and breach obligations are enforceable from 13 May 2027; the Consent Manager framework commences 13 November 2026. Most provisions are now operational law on a defined transition runway, not a deferred mandate.